SoylentNews

Apparition writes:

AMD confirmed all thirteen Ryzen and EPYC chip exploits unveiled by CTS-Labs, which will be patched within weeks.

AMD has responded to the reports last week of a range of security flaws affecting its Platform Security Processor (PSP) and chipset. The company acknowledges the bugs and says that, in coming weeks, it will have new firmware available to resolve the PSP bugs. These firmware fixes will also mitigate the chipset bugs.

Israeli firm CTS identified four separate flaw families, naming them Masterkey (affecting Ryzen and Epyc processors), Ryzenfall (affecting Ryzen, Ryzen Pro, and Ryzen Mobile), Fallout (hitting only Epyc), and Chimera (applying to Ryzen and Ryzen Pro systems using the Promonotory chipset).

[...] AMD's response today agrees that all four bug families are real and are found in the various components identified by CTS. The company says that it is developing firmware updates for the three PSP flaws. These fixes, to be made available in "coming weeks," will be installed through system firmware updates. The firmware updates will also mitigate, in some unspecified way, the Chimera issue, with AMD saying that it's working with ASMedia, the third-party hardware company that developed Promontory for AMD, to develop suitable protections. In its report, CTS wrote that, while one CTS attack vector was a firmware bug (and hence in principle correctable), the other was a hardware flaw. If true, there may be no effective way of solving it.

[...] The striking thing about the bugs was not their existence but rather the manner of their disclosure. CTS gave AMD only 24 hours notice before its public announcement that it had found the flaws. Prior to reporting the problems to AMD, CTS also shared the bugs, along with proofs of concept, with security firm Trail of Bits so that Trail of Bits could validate that the bugs were real and could be exploited the way that CTS described. While the computer security industry has no fixed, rigid procedure for disclosing bugs to vendors, a 90-day notice period is far more typical.

This short notice period led Linux creator Linus Torvalds to say that CTS' report "looks more like stock manipulation than a security advisory."

This perception wasn't helped when short-seller Viceroy Research (which claims to have no relationship with CTS) said that the flaws were "fatal" to AMD and, that its share price should drop to $0, and that the company should declare bankruptcy. Such a valuation is obviously absurd: the PSP is non-essential (some Ryzen firmware allows it to be disabled, albeit at the loss of some functionality), its flaws can be repaired with a firmware update, and the flaws can only be exploited by an attacker with superuser access to the system. To suggest that such bugs should not merely hurt AMD's share price, but drive the company out of business entirely, with nothing salvageable from the Zen architecture, AMD's x86 license, its long-term contracts with Microsoft and Sony, or its GPU architecture, plainly has no possible factual justification.

In addition, AMD wants an investigation of unusual stock trade activity due to the CTS-Labs' revelation of the thirteen Ryzen chip exploits.

[...] There's no evidence that of any of those holes has been used for malevolent purposes, and it would be extremely difficult to use any of them to attack computers, the Sunnyvale, California-based company said. AMD saw reports of unusual trading activity in its stock about a week ago when an Israeli company called CTS Labs went public with a report on the flaws and has reported it to the relevant authorities.

[...] "It's important to note that all the issues raised in the research require administrative access to the system, a type of access that effectively grants the user unrestricted access to the system," AMD's Chief Technology Officer Mark Papermaster said in the statement, referring to the recent report. "Any attacker gaining unauthorized administrative access would have a wide range of attacks at their disposal well beyond the exploits identified in this research."

Previously: CTS-Labs Identifies Vulnerabilities in AMD Chips, Gives AMD Just 24 Hours' Notice

Original Submission